亚马逊VPC服务,虚拟私有云(Virtual Private Cloud),是把公有云上的云服务资源用网络隔离的方法模拟以用户为个体的云服务私有化服务,亚马逊官网上对其有如下定义:
简单来说,VPC能在公有云中建立逻辑隔离的网络
VPC到底是干嘛用的?
使用云服务首要在安全,Amazon的VPC允许用户在一个隔离的虚拟网络中提供计算资源,设定局域网,用户可以简便地由自己选择对外开放什么服务,也可以为资料库或较高保安要求的档案设定网络隔离,以虚拟的方式设定私有云中的网络和系统架构,模拟以单个用户为单位的数据中心。
VPC好在哪里?
- VPC可以让用户一体化管理架构安全性,提供了安全组和网络访问控制列表等高级安全功能,以便在实例级别和子网级别启用入站和出站筛选功能。
- 容易使用及即时生效,您可以通过AWS管理控制台快速又方便地创建及管理VPC,除了有“Start VPC Wizard”来帮助你自动创建范例架构里的子网、IP范围、路由表和安全组,所作的修改也能立即生效,减省开发成本
VPC用在哪里?
- 设定公有子网及私有子网:不论你有一个网站或者是APP后台,使用AWS VPC都是一个极佳的选择,使用VPC自带的创建功能便可设定公有子网及私有子网,为架构进行完整的网络分离,让网页或APP前端放置在公有子网中开放访问,把资料库、内存缓存服务器等存储用户或商务资料的资源放置在私有子网中保护起来。
若用户有自己的数据中心或本地网络,VPC的Direct Connect及VPN连接服务能将AWS云上的私有网络与本地网络组合为一个完整的单一网络,简化架构及新服务建设
如果你想开始感受AWS VPC的基本功能,你可以从建立第一台机器开始
如何操作,可以参考下面的这个官方链接。
http://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/GetStarted.html
----------
最后,和大家分享我们为客户制作的VPC CloudFormation template,基本上我们所有客户的VPC设定都是基于这个设计。需要注意的是,这个范例模板里的安全组对0.0.0.0/0开放了22端口(SSH),网络ACL的120和150号规则也对0.0.0.0/0放行全部协议,而PublicSubnetThree并没有关联到这个网络ACL,实际部署前应按自身需求收窄和补齐这些规则。什么是AWS CloudFormation?迟点再跟大家讨论
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation Template to bring up a vpc with three public subnet,subnetone and subnettwo are in the same availability zone while subnet three is not, a gateway is attached to the three subnets,a route table with one route is attached to the three subnets", "Parameters" : { "AZ1" : { "Type": "String", "Description": "the user available Availability Zone 1" }, "AZ2" : { "Type": "String", "Description": "the user available Availability Zone 2" } }, "Resources": { "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsSupport" : true, "EnableDnsHostnames" : true, "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackName" } }, { "Key": "Network", "Value": "Public" }, { "Key": "Name", "Value": "CustomVpc" } ] } }, "VpcSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Open up SSH access and all ports to itself", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0" } ], "VpcId" : {"Ref" : "VPC"} } }, "SecurityGroupRule": { "Type": "AWS::EC2::SecurityGroupIngress", "DependsOn" : "VpcSecurityGroup", "Properties": { "GroupId" : {"Ref":"VpcSecurityGroup"}, "IpProtocol" : "-1", "SourceSecurityGroupId" : {"Ref": "VpcSecurityGroup"} } }, "SecurityInetGroupRule": { "Type": "AWS::EC2::SecurityGroupIngress", "DependsOn" : "VpcSecurityGroup", "Properties": { "GroupId" : {"Ref":"VpcSecurityGroup"}, "IpProtocol" : "-1", "CidrIp" : "10.0.0.0/16" } }, "PublicSubnetOne": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone" : {"Ref" : "AZ1"}, "VpcId": { "Ref": "VPC" }, "CidrBlock": "10.0.0.0/24", "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } }, { "Key": "Network", "Value": "Public" } ] } }, "PublicSubnetTwo": { "Type": "AWS::EC2::Subnet", "DependsOn": "PublicSubnetOne", "Properties": { "VpcId": { "Ref": "VPC" }, "AvailabilityZone" : {"Ref" : "AZ1"}, 
"CidrBlock": "10.0.2.0/24", "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } }, { "Key": "Network", "Value": "Public" } ] } }, "PublicSubnetThree": { "Type" : "AWS::EC2::Subnet", "Properties" : { "VpcId" : {"Ref" : "VPC"}, "AvailabilityZone" : {"Ref" : "AZ2"}, "CidrBlock" : "10.0.4.0/24", "Tags" : [ {"Key" : "Application","Value" : {"Ref" : "AWS::StackId"}}, {"Key" : "Network","Value" : "Public"} ] } }, "InternetGateway": { "Type": "AWS::EC2::InternetGateway", "Properties": { "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } }, { "Key": "Network", "Value": "Public" } ] } }, "AttachGateway": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { "VpcId": { "Ref": "VPC" }, "InternetGatewayId": { "Ref": "InternetGateway" } } }, "PublicRouteTable": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } }, { "Key": "Network", "Value": "Public" } ] } }, "PublicRouteOne": { "Type": "AWS::EC2::Route", "DependsOn": "AttachGateway", "Properties": { "RouteTableId": { "Ref": "PublicRouteTable" }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "InternetGateway" } } }, "PubliSubnetOneRouteTableAssociation": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "PublicSubnetOne" }, "RouteTableId": { "Ref": "PublicRouteTable" } } }, "PublicSubnetTwoRouteTableAssociation": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "PublicSubnetTwo" }, "RouteTableId": { "Ref": "PublicRouteTable" } } }, "PublicSubnetThreeRouteTableAssociation" : { "Type" : "AWS::EC2::SubnetRouteTableAssociation", "Properties" : { "SubnetId" : {"Ref" : "PublicSubnetThree"}, "RouteTableId" : {"Ref" : "PublicRouteTable"} } }, "PublicNetworkAcl": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } }, { 
"Key": "Network", "Value": "Public" } ] } }, "InboundHTTPPublicOneNetworkAclEntry": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "PublicNetworkAcl" }, "RuleNumber": "100", "Protocol": "6", "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0", "PortRange": { "From": "80", "To": "80" } } }, "InboundHTTPSSHPublicOneNetworkAclEntry": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "PublicNetworkAcl" }, "RuleNumber": "120", "Protocol": "-1", "RuleAction": "allow", "CidrBlock" : "0.0.0.0/0", "Egress": "false" } }, "InboundDynamicPortsPublicOneNetworkAclEntry": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "PublicNetworkAcl" }, "RuleNumber": "101", "Protocol": "6", "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0", "PortRange": { "From": "1024", "To": "65535" } } }, "OutboundHTTPPublicOneNetworkAclEntry": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "PublicNetworkAcl" }, "RuleNumber": "100", "Protocol": "6", "RuleAction": "Allow", "Egress": "true", "CidrBlock": "0.0.0.0/0", "PortRange": { "From": "80", "To": "80" } } }, "OutBoundDynamicPortPublicOneNetworkAclEntry": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "PublicNetworkAcl" }, "RuleNumber": "150", "Protocol": "-1", "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "PublicSubnetOneNetworkAclAssociation": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": { "Ref": "PublicSubnetOne" }, "NetworkAclId": { "Ref": "PublicNetworkAcl" } } }, "PublicSubnetTwoNetworkAclAssociation": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": { "Ref": "PublicSubnetTwo" }, "NetworkAclId": { "Ref": "PublicNetworkAcl" } } } }, "Outputs": { "VpcId": { "Description": "the id of vpc you created", "Value": { "Ref": "VPC" } }, "VpcSecurityGroup":{ "Description": "the 
security group id in this VPC", "Value" : {"Ref":"VpcSecurityGroup"} }, "PublicSubnetOne": { "Description": "the subnet one id ", "Value": { "Fn::Join" : ["",[ {"Ref" : "PublicSubnetOne"}, ":", {"Ref" : "AZ1"} ]] } }, "PublicSubnetTwo": { "Description": "the subnet two id", "Value": { "Fn::Join" : ["",[ {"Ref" : "PublicSubnetTwo"}, ":", {"Ref" : "AZ1"} ]] } }, "PublicSubnetThree" : { "Description" : "the subnet three id", "Value" : { "Fn::Join" : ["",[ {"Ref":"PublicSubnetThree"}, ":", {"Ref" : "AZ2"} ]] } } } }